LastPass fixes just-discovered vulnerabilities

Security bugs in the password manager that could have led to passwords being stolen were fixed in less than a day, according to the researcher who found them.

Lori Grunin Senior Editor / Advice

Well, that was fast.

Tavis Ormandy, a vulnerability researcher at Google, announced Tuesday that a vulnerability he'd found a day earlier in the Chrome and Firefox plug-ins for the LastPass password manager had been resolved. The vulnerability could have led to passwords being stolen, he said.

LastPass, which allows you to use one master password and keeps your individual passwords in what it calls its "encrypted vault," responded to Ormandy's notice with a workaround. The company tweeted that it was working on a permanent fix.

Ormandy, who has uncovered problems with the software in the past, made details of the bug public after it was initially fixed.

In the meantime, Ormandy found another password-related vulnerability -- and that, too, was addressed.

"The fixes are being pushed to all users and most should be updated automatically," LastPass said in a blog post Wednesday about the vulnerabilities that Ormandy found. "We have no indication that any of the reported vulnerabilities were exploited in the wild, but we're doing a thorough review at this time to confirm. ... No password changes are required of users at this time."

Assuming that any software is secure is a bad bet these days. That's why I mentally encode all my important passwords and only include cryptic hints in my password manager. To make room for all that, though, I've had to forget people's birthdays.